Wednesday, December 26, 2012

Stocking stuffers.
The ZeroAccess rootkit is far from new and exciting, but this is a fresh lot with still-active C2 servers.
Although the dropper is detected by at least half of AV engines, post infection detection is another story. I tried Kaspersky TDSS Killer, Avast Rootkit utility and RootRepeal without any success. I used Gmer and LordPE to carve out the hidden file from the memory. You can use Redline or Volatility too.
You can download 5 files below, together with pcaps from one of the files and the file dumped from memory. It appears that free video and app names are used as the lure in this case.

Monday, December 17, 2012

End of the year presents continue.
Here is an excellent analysis by FireEye: To Russia with Targeted Attack. I am posting all the necessary details for this type of malware to be findable on Google, plus the sample and pcap for signature development. FireEye named it “Sanny” after one of the email addresses, and many AV vendors called the dropper Win32.Daws.

Wednesday, December 5, 2012

Better late than never. Here are the samples of the recent twin newsmakers OSX/Dockster.A and Win32/Trojan.Agent.AXMO. The malware was already described and hashes published but I thought I would add traffic captures and samples themselves.

I ran these samples on Thursday, November 29 (OSX) and Friday, November 30 (Agent.AXMO) when the C&C servers were still online. Intego mentioned the address itsec.eicp.net was not registered and it was possibly a test, but it is a dynamic DNS address and it was down by the weekend. Credit for the sample goes to an anonymous Santa.

I have to admit that my knowledge of OSX malware leaves much to be desired. When we deal with Windows malware, the range of choices for capturing, logging, recording, and analyzing is similar to this. I cannot name more than a few for Mac OSX - Wireshark, native Apple syslogs, IDA, Macmemoryze from Mandiant, and a few more below. If you have some good recent papers and tools lists for OSX malware analysis, please share. Read more here: http://www.f-secure.com/weblog/archives/00002466.html

Malware samples are available for download by any responsible whitehat researcher. By downloading the samples, anyone waives all rights to claim punitive, incidental and consequential damages resulting from mishandling or self-infection.